Published 9/1/2017
Michael R. Marks, MD, MBA; Michael Sacopulos, JD

Top 10 HIPAA Mistakes for Practices to Avoid

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) continues to challenge every medical practitioner. A recent discussion on the current state of HIPAA revealed the top 10 mistakes that practices make during implementation.

This year has been rough in terms of privacy. The HHS Office for Civil Rights (OCR) has consistently levied stiff financial penalties on those who violate HIPAA rules, and hacking and ransomware attacks are in the news more often. If the confidentiality of patient medical records is not to become a quaint idea of a bygone age, practices need to be proactive. The following mistakes can be avoided, putting your practice on the way to patient privacy protection and HIPAA compliance.

No. 10: Failure to have Business Associate Agreements in place
A Business Associate is a person or entity outside your workforce that creates, receives, maintains, or transmits patient information on your behalf. Examples include third-party billing companies, cloud-hosted practice management or backup vendors, and the service that shreds old documents. Most practices have many Business Associates. The OCR publishes free sample Business Associate Agreement provisions online that can be downloaded and adapted.

It is the practice's responsibility to have a signed Business Associate Agreement in place with each of them before any patient information is shared. This has been a requirement for years, and the OCR will not be lenient on practices that never put a simple form in place.

No. 9: Not understanding the scope of PHI
PHI stands for Protected Health Information: individually identifiable health information that the practice creates, receives, maintains, or transmits, in any form, whether paper, electronic, or spoken. Sadly, many people assume that it is restricted to documents with patient names, Social Security numbers, or identifiable photographs. Although these are PHI, the full definition is much broader.

The Privacy Rule's de-identification standard lists 18 categories of identifiers (reproduced at the end of this article) that must all be removed before health information stops being PHI, and the last category is a catch-all for any other characteristic that could reasonably be used to identify the individual. This means that a patient's computer IP address, held alongside health information, is PHI. So is a patient's email address, the date of a visit, or a ZIP code. The list goes on. Practices are required to protect all health information that someone, somewhere, could tie back to a patient. Do not fall into the trap of thinking that PHI applies only to patients' names and Social Security numbers.

No. 8: Failure to properly dispose of old PHI
So much attention has been given to electronic information that we may forget or overlook the need to protect against old-school breaches. Recently, an entity in Texas tossed a large number of patient charts in a dumpster. Such breaches are not uncommon. Paper charts, printed schedules, and labels must be shredded or otherwise rendered unreadable, and retired hard drives, copiers, and backup media must be wiped or destroyed rather than simply discarded or resold. Be just as careful with paper containing PHI as you are with electronic data containing PHI.

No. 7: Sharing passwords
It seems obvious, doesn't it? No one should share passwords. However, a recent study found that almost 15 percent of those working in the medical field have shared passwords. Even more people have what could be categorized as a weak password. Your first name, your last initial, or 1234 do not count as passwords. A shared password also destroys the audit trail: when several people log in as the same user, the practice can no longer show who viewed or changed a record. Give every staff member a unique account, require strong passwords, and turn on multifactor authentication wherever the system supports it.

No. 6: No annual staff privacy training
Physicians are usually well versed in privacy issues. However, their staff are often less well trained on the finer points of HIPAA and patient privacy. Federal law requires that every workforce member be trained on the practice's privacy and security policies, with retraining whenever those policies change, and an annual refresher is the accepted way to meet the ongoing security awareness requirement. Document who was trained and when; the OCR will ask. A little training goes a long way toward protecting health information and keeping the practice safe.

No. 5: Thinking it is okay to post patient content without a name or face shown
This mistake is tied to Number 9, not understanding the full scope of PHI. Social media encourages online posts. Medical staff members may feel comfortable posting comments as long as they don't use the patient's name. But a post that mentions a date, a location, an unusual injury, or a photograph of something other than the face can still be linked to an individual, and each of those details is on the identifier list.

Physicians have had their licenses suspended for posting patient content that was later linked to a specific individual. Sadly, it's all too common. Warn staff members that readers can take the details they post and identify the person they described; the only safe rule is not to post about patients without the patient's written authorization.

No. 4: Emailing and texting patients without a security plan
Large amounts of information flow through unencrypted emails or unsecured texts to patients on a daily basis. Sending unencrypted email or ordinary SMS text messages is much like sending a postcard through the U.S. Postal Service: along the route, the contents can be read by anyone who handles it, and a copy may sit on servers the practice does not control. A patient may, after being told of the risk, choose to receive unencrypted email or unsecured texts, and that choice should be documented. However, practices often send detailed information without that permission and without any kind of security plan covering what may be sent, how it is sent, and what happens if it goes to the wrong address. The result is a potential patient privacy violation.

No. 3: No encryption of mobile devices
This is a huge area of activity by the OCR. Unencrypted laptops stolen out of cars and lost smartphones that were never encrypted are constant sources of patient privacy breaches. Full-disk encryption that meets the HHS guidance is also the difference between a lost device and a reportable breach: PHI encrypted to that standard is not "unsecured" PHI, so its loss does not trigger breach notification, provided the key was not lost with it. Taking the time to encrypt mobile devices, and to record that it was done, will save you much grief and expense if they go missing.

No. 2: Not purchasing cyber insurance
If your practice does not have cyber insurance, stop reading this list now and call your broker. Anyone in practice today who keeps electronic patient information needs cyber insurance. The cyber coverage occasionally bundled into medical liability policies is rarely adequate in either breadth or limits, so those policies rarely make any real difference in the event of a cyber crime. The cost of even a moderately sized electronic breach, including forensic investigation, patient notification, and regulatory penalties, can be catastrophic for a practice. Get cyber insurance.

No. 1: No current risk assessment
The first document the OCR asks for when opening an investigation is the risk assessment. The Security Rule requires an accurate and thorough analysis of the risks to electronic patient information, and it must be reviewed and updated routinely (annually is the accepted interval) and whenever systems, vendors, or operations change.

Because the OCR enforces HIPAA at the federal level and treats this as a critical document, you should too. Fines and penalties have been assessed against practices that could not produce a current risk assessment. The process of creating one surfaces issues and identifies areas where patient privacy is weak so that they can be corrected, and a practice that cannot name its risks cannot show that its safeguards address them. This should be high on your to-do list.

Patient privacy compliance is an ongoing task. Avoiding the 10 mistakes above will not make your practice bulletproof, but it will keep patient information far safer and move you well toward being compliant.

Michael R. Marks, MD, MBA, is president of Marks Healthcare Consulting; he serves as a mentor in the AAOS Communications Skills Mentoring Program and TeamSTEPPS, and is a member of the AAOS Medical Liability and Patient Safety Committees. He can be reached at mmarks1988@gmail.com.

Michael J. Sacopulos, JD, is president of the Medical Risk Institute and general counsel for Medical Justice Services. He may be reached at msacopulos@medriskinstitute.com.

18 HIPAA Identifiers

  1. Name
  2. Address (all geographic subdivisions smaller than a state, including street address, city, county, and ZIP code)
  3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and exact age if older than 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including finger and voice prints
  17. Photographic images (not limited to images of the face)
  18. Any other characteristic that could uniquely identify the individual

(Modified from: http://cphs.berkeley.edu/hipaa/hipaa18.html)
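The scanner below is an added example, not code from the article or its authors, written to illustrate Mistakes No. 9 and No. 5 together with the list above: a short pattern-based check that flags the identifier classes which can be recognised by shape alone (URLs, email addresses, IPv4 addresses, Social Security numbers, phone numbers, month/day/year dates, ZIP codes, and ages over 89) in text that is about to leave the practice, for instance a draft social media post. The regular expressions are the example's own and deliberately simple; names, medical record numbers, account numbers, and biometric data cannot be caught by pattern and still need human review. The sample post is constructed for the example and uses documentation addresses only.

```python
import re
from typing import Dict, List

# Detectors for the identifier classes in the 18-item list that can be
# recognised by shape alone. The regexes are this example's own; names,
# record numbers, account numbers and biometrics need context or lookups
# and are left out on purpose.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    # URL first so that an address embedded in a link is redacted as a whole.
    "url": re.compile(r"https?://[^\s<>\"']+?(?=[.,;:]?(?:\s|$))"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # North American numbers written 812-555-0142, 812.555.0142 or (812) 555-0142.
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    # Month/day/year dates; the list strips every date element except the year.
    "date": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
    ),
    # Five-digit ZIP, optionally ZIP+4. Expect false positives on other 5-digit numbers.
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Ages over 89 must be aggregated; flag "92-year-old", "aged 95", "age 101".
    "age_over_89": re.compile(
        r"\b(?:9\d|1\d\d)[- ]year[- ]old\b|\bage(?:d)?\s+(?:9\d|1\d\d)\b",
        re.IGNORECASE,
    ),
}

# Constructed sample of a "no names, so it's fine" post (assumed input, not real data).
SAMPLE_POST = (
    "Great outcome today on a 92-year-old from Terre Haute, IN 47802 who came in "
    "on 03/14/2017 after a fall. Follow-up is set; reach her at 812-555-0142 or "
    "jane.doe@example.com. Portal login came from 203.0.113.42, and insurance "
    "cleared under SSN 123-45-6789. Chart: https://portal.example.org/pt/4471. "
    "No names used, so this is fine, right?"
)


def scan_for_phi(text: str) -> Dict[str, List[str]]:
    """Return each identifier class found in text, with the literal matches."""
    hits: Dict[str, List[str]] = {}
    for kind, pattern in PHI_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[kind] = found
    return hits


def redact_phi(text: str) -> str:
    """Replace every detected identifier with a [KIND] placeholder, in pattern order."""
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


def is_safe_to_post(text: str) -> bool:
    """True only when no detector fires. A clean result is not proof of
    de-identification: names and context-based identifiers still need human
    review, and the 18th category in the list is open-ended."""
    return not scan_for_phi(text)


if __name__ == "__main__":
    for kind, matches in scan_for_phi(SAMPLE_POST).items():
        print(f"{kind:12s} {matches}")
    print()
    print(redact_phi(SAMPLE_POST))
```

Run against the sample, the scanner reports eight identifier classes in a post that never mentions a name, which is exactly the point of Mistake No. 5. The same detectors can be dropped into an outbound email filter or a pre-publication checklist, but treat them as a floor, not a ceiling: a post that passes still has to be read by a person who knows the patient population.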

Editor's note: Articles labeled Orthopaedic Risk Manager (ORM) are presented by the Medical Liability Committee under the direction of John P. Lyden, MD, and Michael R. Marks, MD, MBA, ORM co-editors. Articles are provided for general information and are not legal advice; for legal advice, consult a qualified professional. Email your comments to feedback-orm@aaos.org or contact this issue's contributors directly.